05/08/10 Oracle Confidential

Most regulated information originates and concentrates in databases. Oracle offers industry-leading database security options for its database, and it is worth starting to secure information at its source: losing a database is worse than losing a file.

Myriad end users access regulated information in databases via business applications (HR self-service, CRM, etc.). Oracle Identity Management offers industry-leading identity and access management governing end user and application access to regulated information, with centralised and consistent policy control and auditing across Oracle and non-Oracle applications. Industry leadership in this area was extended by the Sun acquisition.

End users copy information beyond databases and applications, generally in the form of documents (e.g. sensitive reports). These copies proliferate hugely in number and location (e.g. to unmanaged servers and web sites and to corporate and home computers, inside and outside the firewall). Oracle IRM uses encryption to retain control over all copies of these sensitive documents, regardless of where they are located, inside or outside the firewall.

Oracle is doing more than just reorganising its security sales forces to sell database security, IAM and IRM together. It is engineering the product suites to work together so that enterprises can consistently and cost-effectively manage the security of their most sensitive and regulated information – in the database and application layers and beyond.
Many organizations today are exposed to the risk of losing valuable information that resides in emails and documents. Financial information, merger and acquisition activity, and engineering and research data often reside in Word, Excel or PDF documents, and their loss can have a significant impact on your business. Regulations specify that controls must be in place when handling classified content, and failing to comply with these regulations can result in fines. Losing your intellectual property to competitors reduces your effectiveness in the marketplace. Such incidents are often reported by the popular press, which severely damages your company brand, and your customers lose confidence in your ability to protect their information.
Over the past few years we have seen many examples of organizations losing important information. This is exposure you do not desire.
Research also reveals that a high percentage of data loss happens by mistake or through pure negligence, and only a small proportion of incidents happen internally, where your existing security infrastructure is deployed. These risks are increasing as more and more business use cases involve collaborating on sensitive content with external parties, parties who do not place the same importance on protecting your information and accidentally lose it.
Database security not enough – Select / report / applications / API / Web service

Your business has of course deployed security solutions for content that resides internally. Take SharePoint, for instance: different folders provide different access controls to documents. Yet when these documents are taken out of SharePoint, say by emailing them to someone, the security doesn't travel with them. Instead, security is applied at each location the content could reside. This is a constant struggle, because digital information doesn't respect your security perimeters: it can be stored on USB devices, external hard drives, CDs, etc. Information proliferates between shared file systems, email, intranets, extranets and thousands of desktops inside and outside the firewall.

Red boxes: if you are relying on conventional information security to provide compliance, records management and content management, then today, at best, you are only managing a small subset of your information within these systems.
But the problem doesn't stop there. Your business requires that information is shared beyond your enterprise, with customers, partners and suppliers. Yet you cannot enforce the same level of security on their firewalls and content repositories. The previous slide shows the perimeters of existing systems, but which perimeters are we talking about? In many business processes, for example when Oracle acquires other companies, information is shared with external parties such as customers, partners and people working at home.
Wouldn't it be nice if you could solve this problem: have control over content no matter where it exists, even beyond your networks? Imagine if you could produce evidence that regulatory controls had been put in place by showing every single access to controlled content by authorized users.
In summary, Oracle IRM is the leading document rights management technology and our customers have chosen it for the immediate reduction in costs and increase in security it brings. But as important as security is, Oracle IRM delivers unprecedented ease of use and the ability to scale to very large numbers of users and documents. This balance of security, usability and manageability means your business can deploy an IRM solution without interrupting existing workflows and meet the desired security and regulatory requirements.
Offline Use

Oracle IRM stores a copy of a user's rights locally on their PC. These rights are refreshed every day via invisible synchronization with the IRM Server. This means that a user can be given an offline working period of, say, 3 days, which enables them to work with sealed documents just as easily as if they were unsealed, without needing to connect to the internet for 3 days. Whenever they do connect, their rights are refreshed and they are given another 5 days from that point in time. Thus in reality users are never aware of refreshing their rights: all of their documents just open, regardless of when they last opened any given document, or even if they have never opened it before.

Oracle IRM daily synchronization also allows remote users to have their rights revoked at short notice. So partners at the end of a project, or employees leaving the organization, can have their access denied to all of their sealed documents the next time they synchronize. Highly sensitive data can be given shorter offline periods, or even only be accessible while online, to enable faster revocation of rights.

Microsoft, Adobe, EMC, Liquid Machines: all other IRM products issue a fixed-length offline lease to a document only when that document is opened. If that offline period is 5 days, then it cannot be refreshed until that 5-day lease has expired. Thus it is common for offline leases to expire while a user is offline and unable to refresh their rights, so they are denied access to their document. Also, if a user does not obtain leases for their documents before going offline (because they have never opened them before, or they haven't opened them for some time), then again they will be denied access while offline.

Microsoft: revocation of rights can only be performed by a system administrator editing an XML file, the 'revocation list'. This is effectively impractical and clearly does not scale.
EMC, Adobe: rights can only be revoked at the end of the offline lease, not during it, as with Oracle IRM synchronization.

Search

Only Oracle IRM has out-of-the-box integrations with Windows Explorer Search, Windows Indexing Service, Windows Desktop Search (on Vista) and SharePoint 2007 Indexing Search. Oracle IRM also has easy-to-deploy Search APIs which, for example, have been integrated with Autonomy, Oracle SES, LiveLink Search and Oracle Text.

Microsoft, Adobe, EMC, Liquid Machines: no other IRM solution has out-of-the-box search integrations or easy-to-integrate APIs enabling searching of sealed documents. Thus not even Microsoft can search its own sealed documents within SharePoint; their answer is to store unprotected documents in SharePoint, which does not scale.
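The offline-working notes above contrast two ways of letting a user open sealed documents without a connection: a per-user rights cache that is re-synchronized whenever the client is online and stays valid for a fixed offline period, versus a per-document lease issued only when a document is opened online and not renewable until it expires. The following is an added example, not Oracle's code or any vendor's, that simulates both models on one constructed timeline; the day numbers, document names and the "Board" classification are constructed for illustration, and the 3-day window and 5-day lease are taken from the notes.

```python
# Added example (not Oracle's code): a toy simulation of the two offline-rights
# models contrasted in the notes. Day numbers, document names and the "Board"
# classification are constructed for illustration.
from dataclasses import dataclass, field
from typing import Dict, Optional, Set


@dataclass
class SyncedRightsCache:
    """Synchronization model described for Oracle IRM: the server's view of the
    user's rights (by classification) is copied to the desktop at every sync and
    stays valid for `offline_days` after the last sync. It covers every document
    in those classifications, whether or not the document was opened before."""
    offline_days: int
    server_rights: Set[str]                       # classifications granted server-side
    last_sync: Optional[int] = None               # day of the last synchronization
    cached: Set[str] = field(default_factory=set)

    def sync(self, day: int) -> None:
        """Refresh the local copy; revocations made server-side take effect here."""
        self.last_sync = day
        self.cached = set(self.server_rights)

    def can_open(self, day: int, classification: str) -> bool:
        if self.last_sync is None or day - self.last_sync > self.offline_days:
            return False                          # offline window exhausted: must sync
        return classification in self.cached


@dataclass
class PerDocumentLease:
    """Lease model the notes attribute to the other products: a fixed-length lease
    is issued per document only when it is opened online, and a live lease is not
    renewed until it has expired."""
    lease_days: int
    server_rights: Set[str]
    leases: Dict[str, int] = field(default_factory=dict)  # document -> expiry day

    def open_online(self, day: int, doc: str, classification: str) -> bool:
        if classification not in self.server_rights:
            return False
        if doc not in self.leases or self.leases[doc] < day:
            self.leases[doc] = day + self.lease_days  # only a new or expired lease is issued
        return True

    def can_open_offline(self, day: int, doc: str) -> bool:
        return doc in self.leases and day <= self.leases[doc]


def scenario() -> Dict[str, bool]:
    """Walk one constructed timeline through both models and record the outcomes."""
    synced = SyncedRightsCache(offline_days=3, server_rights={"Board"})
    synced.sync(0)                                        # online on day 0, then unplugged
    leased = PerDocumentLease(lease_days=5, server_rights={"Board"})
    leased.open_online(0, "2008 Business Plan.sppt", "Board")
    out: Dict[str, bool] = {}
    # Day 2, offline: a document the user has never opened before.
    out["synced_unseen_doc_day2"] = synced.can_open(2, "Board")
    out["leased_unseen_doc_day2"] = leased.can_open_offline(2, "Q3 Figures.sxls")
    # Day 4, offline beyond the 3-day window: the synced cache is exhausted too ...
    out["synced_day4_window_exhausted"] = synced.can_open(4, "Board")
    # ... but reconnecting restarts the window for every document at once.
    synced.sync(4)
    # Day 6, offline again: the lease from day 0 has expired and cannot be refreshed.
    out["leased_opened_doc_day6_expired"] = leased.can_open_offline(6, "2008 Business Plan.sppt")
    out["synced_day6_after_resync"] = synced.can_open(6, "Board")
    # Day 6: the role is revoked server-side; it bites at the next sync, not before.
    synced.server_rights.discard("Board")
    out["synced_day7_revoked_before_sync"] = synced.can_open(7, "Board")
    synced.sync(7)
    out["synced_day7_revoked_after_sync"] = synced.can_open(7, "Board")
    return out


if __name__ == "__main__":
    for name, allowed in scenario().items():
        print(f"{name:38} {'allowed' if allowed else 'denied'}")
```

The two outcomes worth noting are the never-opened document on day 2 (allowed under the synced cache, denied under the per-document lease) and the revocation on day 6, which the synced model enforces at the next synchronization rather than at lease expiry. Shortening `offline_days` for a sensitive classification, as the notes suggest, simply narrows the window between revocation and enforcement.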
Renault F1 wanted to be able to replicate documents when shared between 2 factories, 2 mobile teams, suppliers, sub-contractors and partners, and needed security for documents containing technical specifications, including the "Bible", which contains all the information relating to the racing car. The solution needed to convert 80TB of documents stored in multiple repositories and with no global search functionality.

Necessary? See http://www.theregister.co.uk/2007/04/30/f*****i_espionage_conviction

A sophisticated deployment, illustrating several key Oracle IRM differentiators: rapid (hosted) evaluation and rapid deployment; Active Directory integration; Windows authentication; transparent offline working (track-side); Citrix deployment (design office, Linux, Citrix); silent MSI rollout.
A key differentiator of Oracle IRM – the key to moving from initial pilot IRM deployments to successful, large-scale enterprise IRM deployments – is its unique classification-based rights model.

Ignoring the text for a moment, the picture shows 8 documents: 4 sealed to one classification, “Board Communications”, and 4 sealed to “Company Announcements”. The CFO is assigned a “Contributor” role, which means he can open, print and edit documents sealed to “Board Communications”. The HR Director has a similar “Contributor” role for “Company Announcements” but only has a “Reader” role for “Board Communications”. The group “All Employees”, which like the users comes from an enterprise directory, are “Readers” for “Company Announcements” but cannot access documents sealed to “Board Communications”.

The point of the picture is that for 8 documents there are 4 role assignments – the black dotted lines to the right of the picture. But if there were 80,000 documents – 40,000 sealed to “Board Communications” and 40,000 sealed to “Company Announcements” – there would still only be 4 role assignments.

This is a subtle but huge advantage for Oracle IRM, with both technical and business benefits. From the business perspective, end users and business and IT administrators are presented with a simple model governing access to their information that they can understand and communicate, even at enterprise scale, because it is implemented in terms of things they already understand: classifications based on existing information classifications, business processes or projects; their roles within these business processes; and existing organizational groupings in enterprise directories. From a technical perspective, the per-classification Oracle IRM system has to manage orders of magnitude fewer rights than systems which clone per-user and per-file rights from policy templates.
Far fewer rights enable the automated synchronization of rights to the desktop that provides Oracle IRM with its unique “hands free” offline working, while retaining timely revocation and up-to-date audit trails. This is not at the expense of real-world exceptions: while Oracle IRM manages rights primarily at the level of classifications and roles, it can easily make per-user and per-file exceptions when they are needed, as compared to competing solutions which attempt to build enterprise policy on the quicksand of millions of per-user and per-file exceptions.
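The two notes above describe the rights model in enough detail to evaluate it: access to a document is decided by the role a user (directly, or through a directory group) holds on the document's classification, so the number of rules depends on the number of classifications and principals, not on the number of documents, and per-user/per-file exceptions are layered on top only where needed. The following is an added example, not Oracle's code or the product's API, that evaluates the slide's scenario with that model. The role names and their permissions follow the slide; the group membership, the assignment of named documents to classifications, the user "Alice" and the `add_exception` method are constructed assumptions for illustration.

```python
# Added example (not Oracle's code): a toy evaluator for the classification-based
# rights model described in the notes. Role names and permissions follow the slide;
# the directory groups, the document-to-classification assignments, the user
# "Alice" and the exception mechanism are constructed assumptions.
from typing import Dict, FrozenSet, Set, Tuple

ROLE_PERMISSIONS: Dict[str, FrozenSet[str]] = {
    "Contributor": frozenset({"Open", "Print", "Edit"}),
    "Reader": frozenset({"Open"}),
    "Reviewer": frozenset({"Open", "Comment"}),
}


class ClassificationRights:
    def __init__(self, groups: Dict[str, Set[str]]):
        self.groups = groups                               # directory group -> member users
        self.roles: Dict[Tuple[str, str], str] = {}        # (principal, classification) -> role
        self.sealed: Dict[str, str] = {}                   # document -> classification
        self.exceptions: Dict[Tuple[str, str], str] = {}   # (user, document) -> role (assumed)

    def assign(self, principal: str, classification: str, role: str) -> None:
        """One role assignment per (user or group, classification): the dotted lines."""
        self.roles[(principal, classification)] = role

    def seal(self, document: str, classification: str) -> None:
        """Sealing binds a document to a classification; it adds no rights rule."""
        self.sealed[document] = classification

    def add_exception(self, user: str, document: str, role: str) -> None:
        """Per-user, per-file exception layered on top of the classification rules."""
        self.exceptions[(user, document)] = role

    def principals(self, user: str) -> Set[str]:
        """The user plus every directory group containing the user."""
        return {user} | {g for g, members in self.groups.items() if user in members}

    def permissions(self, user: str, document: str) -> Set[str]:
        """Union of the permissions granted by every applicable role."""
        classification = self.sealed[document]
        perms: Set[str] = set()
        if (user, document) in self.exceptions:
            perms |= ROLE_PERMISSIONS[self.exceptions[(user, document)]]
        for principal in self.principals(user):
            role = self.roles.get((principal, classification))
            if role:
                perms |= ROLE_PERMISSIONS[role]
        return perms

    def rule_count(self) -> int:
        return len(self.roles) + len(self.exceptions)


def build_slide_model() -> ClassificationRights:
    """The four assignments from the slide, plus constructed group membership."""
    m = ClassificationRights(groups={"All Employees": {"CFO", "HR Director", "Alice"}})
    m.assign("CFO", "Board Communications", "Contributor")
    m.assign("HR Director", "Board Communications", "Reader")
    m.assign("HR Director", "Company Announcements", "Contributor")
    m.assign("All Employees", "Company Announcements", "Reader")
    # Which named document belongs to which classification is assumed here.
    for doc in ("2008 Business Plan.sppt", "Q3 Figures.sxls"):
        m.seal(doc, "Board Communications")
    for doc in ("HR procedures.spdf", "Health+Safety Issues.sdoc"):
        m.seal(doc, "Company Announcements")
    return m


def rules_after_sealing(model: ClassificationRights, n_docs: int) -> int:
    """Seal n_docs more constructed documents and report how many rules exist."""
    for i in range(n_docs):
        cls = "Board Communications" if i % 2 else "Company Announcements"
        model.seal(f"report-{i}.sdoc", cls)
    return model.rule_count()


def cloned_rule_count(n_users: int, n_docs: int) -> int:
    """Rules a system needs when it clones one right per user per file."""
    return n_users * n_docs


if __name__ == "__main__":
    m = build_slide_model()
    for user in ("CFO", "HR Director", "Alice"):
        for doc in ("2008 Business Plan.sppt", "HR procedures.spdf"):
            print(f"{user:12} {doc:26} {sorted(m.permissions(user, doc))}")
    print("rules after sealing 80,000 more documents:", rules_after_sealing(m, 80_000))
    print("per-user/per-file clones for 3 users:", cloned_rule_count(3, 80_004))
```

Note that a group holding no role on a classification contributes nothing, so "All Employees" members who are not named individually get an empty permission set on "Board Communications", which is the denial the slide describes; the exception path shows how a single extra rule can widen access for one user on one file without touching the classification rules.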
Oracle Information Rights Management 11g Deborah Assayag [email_address]
Oracle Security Inside Out – Information Rights Management
Encryption and Masking
Privileged User Controls
Activity Monitoring and Audit
Identity Management Database Security
Risk-Based Access Control
Document-level Access Control
All copies, regardless of location (even beyond the firewall)
Auditing and Revocation
Databases Applications Content Infrastructure Information
Over 70% of data loss from lost devices and negligence
Only 12% from malicious activity
Only 18% of loss happens internally
Increasing data loss from partner collaboration
Causes of security breaches: The Business Impact of Data Breach. Ponemon Institute LLC. May 15, 2007. Trends in Data Breach Sources: 2008 Data Breach Investigations Report. Verizon Business. June 10, 2008.
You have secured the perimeters… but digital information is no respecter of perimeters! (SharePoint, Email, File system, Content Management, Intranet/Extranet)
Which perimeter are we talking about? Many business processes involve external parties (SharePoint, Email, File system, Content Management, Intranet/Extranet)
Typical methods for securing desktops: encrypt disk; prevent use of external devices; monitor information flow (DLP); OS access control; encrypt content (PGP); prevent use of external services
Buying all these solutions is expensive
What about partners, customers, suppliers?
Massively restrict end users ability to work
Protect the content instead of location!
Security – Usability – Manageability: an enterprise-class solution must balance all three aspects (Secure, Usable, Manageable)
What: single documents or groups of documents
Who: single people or groups of people
When: flexible start and stop times, revoke after delivery
Where: single device or roaming across the internet, on or offline
How: Open, Print, Edit, Annotate, Interact, Reply, Pause…
Oracle Information Rights Management Securing all copies of your sensitive information
Everywhere IRM-encrypted content is stored, transmitted or used
NO ACCESS FOR UNAUTHORIZED USERS
Transparent, revocable access for authorized users
Centralized policy and auditing for widely distributed content
Content security beyond the database, application and firewall
Diagram: ECM, Email, File systems, Intranet/extranet and Databases inside the enterprise perimeters; the Oracle IRM Server governs content shared with Customer, Partner and Supplier
With Oracle Information Rights Mgmt: flexible and comprehensive information protection. Diagram: the Oracle IRM Server protects content exported from applications, saved in content management, and secured from the desktop
Bespoke content management and portal integrations
Enabled the company to connect the sales force
Prevented redistribution of valuable information
Eliminated the need to maintain similar data
Confidence that information is only provided to intended recipients
Ability to revoke access to incorrect or out-of-date documents
Basic IRM Deployment Architecture. Diagram: an External User on the Internet / External Networks reaches, through a firewall, a load balancer (e.g. OHS) in the DMZ (or Intranet); a further firewall leads to the Corporate Network, where the IRM Server runs on WebLogic and exposes Web Services, alongside the LDAP Server and Database Server; firewalls separate each zone
Classification-based rights management Manageable security at enterprise scale
Oracle IRM manages access to information in terms of
Existing business processes, such as “Board Communications”
Existing information classifications, such as “Highly Restricted”
Existing employee roles, such as “Reviewer”
Existing users/groups in enterprise directories, such as “Sales”
Oracle IRM’s classification-based rights management is the key breakthrough that enables management of encryption at enterprise scale
Because end users, business process owners and IT admins can all understand and manage it!
Slide diagram (classification-based rights): two classifications, “Board Communications” and “Company Announcements”; users and groups CFO, HR Director and All Employees; documents Health+Safety Issues.sdoc, HR procedures.spdf, Sales pipeline.sxls, New customers, Sales strategy, Q3 Figures.sxls, 2008 Business Plan.sppt and ACME competitive review.sdoc; roles per classification: Contributor (Open, Print, Edit), Reader (Open), Reviewer (Open, Comment)